Free IAPP CIPP-E Actual Exam Questions - Question 10 Discussion

Question No. 10
A news website based in the United States reports primarily on North American events. The website
is accessible to any user regardless of location, as the website operator does not block connections
from outside of the U.S. The website offers a paid subscription that requires the creation of a user
account; this subscription can only be paid in U.S. dollars.
Which of the following explains why the website operator, who is responsible for all processing
related to account creation and subscriptions, is NOT required to comply with the GDPR?
Ravi P.
2026-02-20

D imo, the VPN point is kind of a red herring. Not blocking VPNs just means users can pretend to be in the US, but it doesn’t really affect GDPR applicability directly. B feels cleaner since there’s no EU establishment.

0
Ravi P.
2026-02-20

A imo, the payment currency seems irrelevant here, but not accepting euros might hint the site isn’t targeting EU users intentionally. That could be a solid reason GDPR doesn’t apply. Also, the fact they don’t block non-US IPs doesn't really affect jurisdiction. So, ruling out B because GDPR can still apply without an EU base if targeting EU users. C and D don’t make much sense either since language and VPN use don’t determine GDPR responsibility.

0
Osama M.
2026-02-18

B imo, no EU base means GDPR generally doesn’t apply here.

0
Mark Q.
2026-02-16

It’s B because no EU base means GDPR doesn’t kick in here.

0
Mark Q.
2026-02-14

Probably B, since no EU establishment means GDPR rules likely don't apply.

0
Liam V.
2026-02-11

B/D? The lack of an EU establishment (B) is a strong point since GDPR targets controllers with EU establishments. VPN access (D) doesn’t really affect the legal obligation here; just because they can’t block VPNs doesn’t mean they target the EU.

0
Arjun R.
2026-02-11

B/C? The controller not having an EU establishment (B) seems key, but the website language (C) might show it’s not targeting EU users. Payments not in euros (A) feels irrelevant here.

0
Sohail B.
2026-01-20

A/C? Payment in USD only and no EU currency might mean no real offering to EU residents, plus the site not being in EU languages suggests it’s not targeting the EU market. Both could support why GDPR doesn’t apply here.

0
Will U.
2026-01-16

B imo, no EU base means GDPR likely doesn’t apply here.

0
Will U.
2026-01-15

Option B: Does it matter if the operator has no EU establishment even if they target EU users? The question doesn’t say if EU residents can sign up or not. Wouldn’t targeting EU users trigger GDPR anyway?

0